Get SMB Share Access Decision Making

This topic contains 3 replies, has 2 voices, and was last updated by  Curtis Smith 10 months, 3 weeks ago.

  • #54881

    Brian Clanton
    Participant

I am having a hard time implementing this logic using the Get-SmbShareAccess cmdlet. This is my goal in pseudocode.

    Recursively go through Root folders and do the following....

    —————–

Get-SmbShareAccess for folder
If folder has share permissions for Domain Admins
    If folder has Full Control for Domain Admins
        Do nothing
    Else modify existing share permissions and apply Full Control for Domain Admins, revoke everything else.
Else
    Add Domain Admins rights and give full share permissions

    —————-

I am having trouble iterating through multiple share permissions on a single folder with Get-SmbShareAccess.

    • This topic was modified 10 months, 3 weeks ago by  Brian Clanton.
  • #54886

    Curtis Smith
    Participant

    Hey Brian,
    What have you tried and where are you having issues?

Also, I don't completely follow the logic of what you have asked. It seems that if Domain Admins is there but doesn't have Full Control, then remove everything and give Domain Admins Full Control, so the end result is just Domain Admins with Full Control. If Domain Admins is already there with Full Control then just leave everything exactly like it is, even if there are other permissions there giving other users/groups access. The end result is not the same as the first scenario. Lastly, if Domain Admins is not there, just add it with Full Control and do nothing else, even if other users/groups are there with access. Again, this leaves the end result in a different state than the first scenario. If that is what you intend then OK; it just seems a little strange to me.

    If the end result is to have Domain Admins with full control and no other permissions granted to any other groups or users, then it would be simple enough to say revoke all permissions that are not domain admin and make sure domain admin is granted full.

Conversely, if the end result is to have Domain Admins with Full Control regardless of the other user/group permissions already in place, it would be simple enough just to grant Full Control permission to Domain Admins.

    We just need clarification on what the goal is and what you have tried so far so we can help get you unstuck.

  • #54898

    Brian Clanton
    Participant

End game is that I am going to define a set of universal share permissions where, based on the company folder, I will give specific group share permissions to that folder plus Domain Admins share permissions.

To keep my pseudocode simple, I just used the Domain Admins permission example, but what I need to do is:

1. Test to see if the folder has a specific share permission
2. If it doesn't have that specific share permission, give it that permission (in my example above, give it Domain Admins permissions)
3. If it does have that permission, add that share permission and make sure that permission has Full Control of that share and then revoke everything else.

    I can grab the account share permissions like this:

    PS C:\WINDOWS\system32> get-smbshareAccess test$ | select-object AccountName
    
    AccountName
    -----------
    W10-BCLANTON\techpro
    Everyone
    

So my next step, from this output, is to iterate through each permission and make my appropriate tests on that output. However, I can't seem to pipe each permission individually to determine whether what I need for the default share permission is there or not.

    This is the last piece of a bigger project, but once I can grab each one of these credentials and assign to a variable, I should be able to complete the project.

    • This reply was modified 10 months, 3 weeks ago by  Brian Clanton.
  • #54918

    Curtis Smith
    Participant

Based on your last description, you don't really need to iterate through each permission. You just need to find out if a permission exists for the group you are working with, i.e. Domain Admins. Also, for this statement "3. If it does have that permission, add that share permission and make sure that permission has Full Control of that share and then revoke everything else." Based on the other statements I will make the assumption that "then revoke everything else." does not mean revoke all the permissions for other users/groups that have access to the share, but rather revoke all previously existing permissions for the group you are working with.

    Here is some sample code to help you get started:

#Define our target folder and group
$folder = "C:\test"
$group  = "Domain Admins"

#Use Get-SmbShare to find the share(s) whose path is our target folder (one folder can be shared under more than one name)
$shares = Get-SmbShare | Where-Object {$_.Path -eq $folder}

foreach ($share in $shares) {
    #Get-SmbShareAccess returns one object per ACE: Name, AccountName, AccessControlType (Allow/Deny), AccessRight (Full/Change/Read)
    $permissions = Get-SmbShareAccess -Name $share.Name

    #Filter for only the ACEs whose account name is our target group, with or without a DOMAIN\ prefix
    $grouppermissions = $permissions | Where-Object {$_.AccountName -match "(^|\\)$group$"}

    #Grant target group Full Control if it is missing or holds less than Full; Grant sets the account's Allow entry to Full.
    #-Force suppresses the confirmation prompt. Granting before revoking means the share is never left with no Allow entries.
    #If an unqualified group name fails to resolve, use the DOMAIN\Group form.
    if (-not ($grouppermissions | Where-Object {$_.AccessControlType -eq "Allow" -and $_.AccessRight -eq "Full"})) {
        Grant-SmbShareAccess -Name $share.Name -AccountName $group -AccessRight Full -Force | Out-Null
    }

    #If so desired, revoke all Allow entries that are not our target group.
    #Revoke only removes Allow entries; a Deny entry (from Block-SmbShareAccess) needs Unblock-SmbShareAccess instead.
    $permissions | Where-Object {$_.AccountName -notmatch "(^|\\)$group$" -and $_.AccessControlType -eq "Allow"} |
        ForEach-Object {Revoke-SmbShareAccess -Name $_.Name -AccountName $_.AccountName -Force} | Out-Null
}
    • This reply was modified 10 months, 3 weeks ago by  Curtis Smith.
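The decision logic from the first post, applied to every share under a root folder, as an added example that is not code from the thread or from either poster. The permission check is separated from the cmdlet calls so it can be exercised offline against constructed ACE objects, and it handles two cases the thread's snippets do not: a Deny entry for the group (which Revoke-SmbShareAccess cannot clear) and a dry run via -WhatIf. Assumptions (mine): the shares of interest are the ones whose Path lies under $Root, admin shares (C$, ADMIN$) are skipped via the Special property, and the group is passed in the DOMAIN\Group form that Get-SmbShareAccess reports. The function names and the sample ACE list are made up for this example.

```powershell
# Added example, not from the original thread. Pure decision step first:
# given ACE-shaped objects (AccountName, AccessControlType, AccessRight), decide what to change.
function Get-ShareAccessPlan {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Aces,      # shaped like Get-SmbShareAccess output
        [Parameter(Mandatory)] [string]   $Group,     # e.g. 'CONTOSO\Domain Admins' (assumed qualified form)
        [switch] $RevokeOthers                        # also strip every other Allow entry
    )
    $groupAllow = @($Aces | Where-Object { $_.AccountName -eq $Group -and $_.AccessControlType -eq 'Allow' })
    $groupDeny  = @($Aces | Where-Object { $_.AccountName -eq $Group -and $_.AccessControlType -eq 'Deny' })
    $others     = @($Aces | Where-Object { $_.AccountName -ne $Group -and $_.AccessControlType -eq 'Allow' })

    $plan = [ordered]@{ Grant = $false; Unblock = $false; Revoke = @() }

    # Group missing, or present with Change/Read: grant Full. Present with Full: leave it alone.
    if (-not ($groupAllow | Where-Object AccessRight -eq 'Full')) { $plan.Grant = $true }

    # A Deny entry overrides Allow; Revoke-SmbShareAccess only removes Allow entries, so Unblock is needed.
    if ($groupDeny.Count -gt 0) { $plan.Unblock = $true }

    if ($RevokeOthers) { $plan.Revoke = @($others | Select-Object -ExpandProperty AccountName -Unique) }
    return [pscustomobject]$plan
}

# Apply the plan to every non-administrative share whose path is under $Root.
# SupportsShouldProcess gives -WhatIf / -Confirm for free, so the sweep can be rehearsed first.
function Set-ShareStandardAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Root,     # assumed: folder whose shared subfolders are the targets
        [Parameter(Mandatory)] [string] $Group,
        [switch] $RevokeOthers
    )
    $shares = Get-SmbShare | Where-Object { $_.Path -like (Join-Path $Root '*') -and -not $_.Special }
    foreach ($share in $shares) {
        # One object per ACE; iterating this list is the step the question was stuck on.
        $aces = @(Get-SmbShareAccess -Name $share.Name)
        $plan = Get-ShareAccessPlan -Aces $aces -Group $Group -RevokeOthers:$RevokeOthers

        if ($plan.Unblock -and $PSCmdlet.ShouldProcess($share.Name, "Unblock $Group")) {
            Unblock-SmbShareAccess -Name $share.Name -AccountName $Group -Force | Out-Null
        }
        # Grant before revoking so the share is never momentarily left with no Allow entries.
        if ($plan.Grant -and $PSCmdlet.ShouldProcess($share.Name, "Grant Full to $Group")) {
            Grant-SmbShareAccess -Name $share.Name -AccountName $Group -AccessRight Full -Force | Out-Null
        }
        foreach ($acct in $plan.Revoke) {
            if ($PSCmdlet.ShouldProcess($share.Name, "Revoke $acct")) {
                Revoke-SmbShareAccess -Name $share.Name -AccountName $acct -Force | Out-Null
            }
        }
        [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Granted = $plan.Grant; Revoked = ($plan.Revoke -join ',') }
    }
}

# Constructed sample ACEs (not real cmdlet output), mirroring the shape shown in the thread,
# so the decision step can be checked without any shares present.
$sample = @(
    [pscustomobject]@{ AccountName = 'W10-BCLANTON\techpro';  AccessControlType = 'Allow'; AccessRight = 'Read'   },
    [pscustomobject]@{ AccountName = 'Everyone';              AccessControlType = 'Allow'; AccessRight = 'Change' },
    [pscustomobject]@{ AccountName = 'CONTOSO\Domain Admins'; AccessControlType = 'Allow'; AccessRight = 'Read'   }
)
Get-ShareAccessPlan -Aces $sample -Group 'CONTOSO\Domain Admins' -RevokeOthers

# Live run against real shares (dry run first):
# Set-ShareStandardAccess -Root 'D:\Company' -Group 'CONTOSO\Domain Admins' -RevokeOthers -WhatIf
```

For the constructed sample the plan grants Full (the group only holds Read) and, because -RevokeOthers is set, lists techpro and Everyone for revocation; no Unblock is needed since there is no Deny entry. Keeping the decision in its own function means the same logic can be unit-tested or reviewed without touching a file server, and -WhatIf on the live function prints every Grant/Revoke/Unblock it would perform before any ACE changes.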
